On Thu, Jul 22, 2010 at 20:23:22 -0500, Jonathan Nieder wrote: > Greg Brockman wrote at <http://bugs.debian.org/590026>: > > > A fix for an exploitable buffer overrun (CVE-2010-2542, per [1]) was > > committed to git in [2]. In particular, if an attacker were to create > > a crafted working copy where the user runs any git command, the > > attacker could force execution of arbitrary code. > > > > This attack should be mitigated to a denial of service if git is > > compiled with appropriate stack-protecting flags. > > > > This buffer overrun was introduced in [3], which first appeared in > > v1.5.6, and is fixed in v1.7.2. > > > > Greg > > > > [1] http://seclists.org/oss-sec/2010/q3/93 > > [2] > > http://git.kernel.org/?p=git/git.git;a=commit;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc > > [3] > > http://git.kernel.org/?p=git/git.git;a=commit;h=b44ebb19e3234c5dffe9869ceac5408bb44c2e20 > > More precisely, the problem is a buffer overrun when encountering a > file .git with the content > > gitdir: (something really long) > > When git checks the target of the .git file’s reference, it stores > the filename on the stack in a buffer of size PATH_MAX. > > (By contrast, the environment variable GIT_DIR=(something really long) > is protected against already.) > > This can be used for privilege escalation when a privileged user > runs a git command that checks for a repository (like ‘git ls-remote’) > in /tmp and outside of any git repository, for example. > Hi Jonathan,
are you preparing an upload to sid for this as well? Do you need sponsorship? Cheers, Julien
signature.asc
Description: Digital signature
